VS Code has inherent security concerns due to the dynamic and unbounded nature of JavaScript combined with the attack surface introduced by its extensibility and web-based architecture. Electron (the JS interpreter used) has a dynamic web-based attack surface. Even if you mapped it out, it can change at any time thanks to the changing nature of JS standards.

Furthermore, the security issue with extensions in VS Code is well documented. And the obvious bit is it's executing code sometimes, arbitrary user code and extension code. Telementry, etc. are built in. It's really up to the user to use it in a secured manner. A lot of people just don't consider this.